Vulnerabilities in DJI drone manufacturer

Researchers at a cybersecurity and digital forensics firm identified a couple of vulnerabilities in the website and apps of the popular drone manufacturer DJI. The vulnerability was disclosed last Thursday, after the company had patched it. However, it took the company about six months to fully address the flaw.

According to digital forensics specialists from the International Institute of Cyber Security, if exploited, the flaw could have given an attacker free access to the cloud storage of any drone owner's account, including videos, maps, device logs and even live streams through the DJI FlightHub fleet management system. All of this could have happened without alerting the legitimate user. Now that DJI has corrected the flaw, details of the dangerous vulnerability in DJI's drone web application have been revealed.

In addition, attackers could easily have synchronized confidential user data, including flight and location logs. Digital forensics and cybersecurity experts identified the flaw in March 2018 and notified DJI without publicly revealing the problem, following the standard disclosure practice of security firms. The Chinese manufacturer corrected the vulnerability in September.

An attacker could also have launched an account-hijacking attack by chaining the three vulnerabilities identified in the DJI infrastructure: a secure-cookie bug, an SSL pinning problem in the company's mobile application, and a cross-site scripting (XSS) flaw in the company's online forum.

The cookie flaw could allow an attacker to steal login cookies by injecting malicious JavaScript into the DJI forum through the XSS vulnerability. Once captured, the login cookies, which might have included authentication tokens, could be replayed to gain access to and control of a user's account. From there, an attacker could also reach the DJI GO/4/pilot mobile applications and DJI FlightHub's centralized drone operations.
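The chain above works only if injected script can read the session cookie at all. As an added example (not code from the article or from DJI), the following defender-side audit checks a login response's Set-Cookie headers for the attributes that decide that: the cookie names, values and headers are constructed.

```python
# Added example: audit Set-Cookie headers for the protections whose absence lets
# forum XSS read or replay a session cookie. Sample headers are constructed.

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def audit_set_cookie(header: str) -> dict:
    """Report which protections a cookie is missing."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        # Without HttpOnly, document.cookie exposes the value to injected script.
        findings.append("missing HttpOnly: readable by injected script")
    if "secure" not in attrs:
        # Without Secure, the cookie is also sent over cleartext HTTP.
        findings.append("missing Secure: sent over cleartext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite in ("", "none"):
        # Without SameSite, the cookie rides along on cross-site requests.
        findings.append("SameSite absent or None: sent on cross-site requests")
    return {"cookie": name, "findings": findings}

# Constructed headers standing in for a weak and a hardened login response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.example.com",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

def audit_all(headers=SAMPLE_HEADERS):
    """Audit every header and return one report per cookie."""
    return [audit_set_cookie(h) for h in headers]

if __name__ == "__main__":
    for report in audit_all():
        status = "OK" if not report["findings"] else "; ".join(report["findings"])
        print(f"{report['cookie']}: {status}")
```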

Attackers could have compromised the mobile apps only after intercepting application traffic. That would have required bypassing the app's SSL pinning with a Man-in-the-Middle attack on traffic to the DJI server.

Subsequent investigation revealed that, by analyzing the drone's flight record files, an attacker could have obtained further information about the angle and location of photographs taken during a flight, including the location of the user's home, the last known location and more.

DJI finally classified the vulnerability as high risk but of low probability of exploitation, because a successful attack required a user to log into their DJI account after clicking a specially crafted malicious link published in the DJI forum. The company states that there is no indication the flaw has been exploited in a real scenario.